F5 BigIP Message Security Module (MSM)

I've been working with the MSM module for the F5 (BIG-IP) load balancers for several months now. I'd like to share my impressions of the product along with some handy tips that will hopefully save you some time. Sadly, documentation for this product is somewhat lacking, and I've worked with a few experts at F5 Networks to sort out the implementation.

Please review the product data sheet available here. Some of the MSM's concepts may take a while to get your head around if you have not worked with F5 load balancers before.

The MSM module is designed for high-volume email providers and is intended to augment existing email scrubbing resources (SpamAssassin, RBLs, etc.). It works by monitoring inbound SMTP connections: the sending mail server's IP is compared against the TrustedSource IP reputation database powered by Secure Computing. The module does a DNS query against the TrustedSource systems, and the score returned is used to determine the fate of the SMTP connection. The message can be dropped, forwarded on to additional email scanning resources, or delivered. As this happens at the network level, significant server resources can be saved. Since the product generates a significant amount of DNS traffic, a DNS server dedicated to these scoring queries may be required depending on email volume.

The MSM is powered by the iRule facilities of the F5 load balancer. Message scoring and server resources must be configured after the install script finishes. I was able to get the MSM running within 20 minutes.

The MSM module works as advertised, and we've been able to drop approximately 70% of inbound SMTP connections before any email processing is required. After some tweaking of the scoring thresholds, this product proves to be a quality asset.

Features. I feel the product is a bit lacking in features, and I hope to see these added in future releases. Currently there are no SNMP MIBs to allow easy polling of the connection statistics. These stats are available within the F5 UI; however, I am a graph junkie and I'd like to be able to see historical data. The MSM module can also only be assigned to one inbound SMTP server IP.

Price. It's expensive. However, enterprise providers should be able to justify the cost, as significant server resources can be conserved.

Overall, the product works as advertised and has been reliable. I would recommend it to enterprise email providers.

Feel free to drop me a line if you have additional questions about the product.

Hi,
we've been testing MSM with an ISP as a replacement for their Spamhaus infrastructure. While I think Spamhaus does a really good job, MSM has a better TCO in the long run (purchase + support vs. yearly subscription). We've put an F5 LTM + MSM in front of their AA systems in no_drop mode (meaning it just scored in the logs and let everything through) and compared the scores with Spamhaus. The scoring works a bit differently:
- MSM scores from -140 (trusted) to +140 (really evil)
- Spamhaus scores 100 (evil), 50 (semi evil), 0 trusted

As this ISP drops everything SH scores 100, we were comparing the results to this SH score, and it turns out that somewhere between MSM scores 30-20 you get a breaking point: both systems drop the same amount, some 2-3% are let through by one or the other due to different databases. Our choice was that everything above a score of 28 gets dropped.

The MSM defaults are a bit more permissive (probably afraid of false positives): it drops everything between 140-80, 80-50 gets sent to a "manual analysis queue" (like you'll be analyzing 100s of k mails daily), 50 to -50 is "let the second AA layer decide" and below -50 is trusted.

I'm just posting this to help people get some comparison, as it's really difficult to get any real-life data and all the vendors' reports are always superior to the others'.

I have been using F5 MSM as one of the first lines of defense for several years now. Refusing mail that scores above 50 with TrustedSource works well and blocks 70-80% of incoming email before the connections can reach the server infrastructure and the more resource heavy filtering layers.

quarantine:45
refuse:50
suspect:10
trusted:-50

The above config values result in a very low false positive rate for our ISP mail servers.

I have the Spamhaus RBL too which blocks an additional 3% of email that gets past MSM.
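An added example, not F5's code or either commenter's, tying together the threshold config posted above and the no_drop comparison run described in the earlier comment: it parses the key:value thresholds, maps a reputation score to a verdict, and picks the refuse threshold whose drop decisions agree most often with Spamhaus over a constructed set of logged score pairs. The verdict precedence, the "neutral" bucket, the "log-only" no_drop behaviour and the sample pairs are assumptions.

```python
# Added example, not F5's code: a small model of MSM-style scoring at
# SMTP-connect time using the posted thresholds and a no_drop comparison run.
# Threshold config in the key:value form posted above.
MSM_CONFIG = "quarantine:45\nrefuse:50\nsuspect:10\ntrusted:-50"

# Constructed (msm_score, spamhaus_score) pairs standing in for the logs of a
# no_drop run; Spamhaus 100 means "drop". Not real traffic data.
SAMPLE_PAIRS = [(120, 100), (95, 100), (60, 100), (40, 100), (29, 100),
                (25, 0), (15, 50), (0, 0), (-30, 0), (-80, 0), (35, 50), (55, 0)]

def parse_thresholds(text):
    """Parse 'name:value' lines into a dict of integer thresholds."""
    thresholds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        thresholds[name.strip()] = int(value)
    return thresholds

def classify(score, thresholds, no_drop=False):
    """Map a TrustedSource-style score (-140 trusted .. +140 bad) to a verdict.
    Assumed precedence: refuse, then quarantine, then suspect, then trusted as a
    ceiling; anything else is 'neutral' (left to the next filtering layer).
    In no_drop mode a refusal is only logged and the connection is let through."""
    if score >= thresholds["refuse"]:
        verdict = "refuse"
    elif score >= thresholds["quarantine"]:
        verdict = "quarantine"
    elif score >= thresholds["suspect"]:
        verdict = "suspect"
    elif score <= thresholds["trusted"]:
        verdict = "trusted"
    else:
        verdict = "neutral"
    return "log-only" if no_drop and verdict == "refuse" else verdict

def best_refuse_threshold(pairs, candidates):
    """Return the candidate MSM refuse threshold whose drop decision agrees most
    often with Spamhaus (drop at 100) over the logged pairs of a no_drop run."""
    def agreement(t):
        return sum((msm >= t) == (sh == 100) for msm, sh in pairs) / len(pairs)
    return max(candidates, key=agreement)

if __name__ == "__main__":
    th = parse_thresholds(MSM_CONFIG)
    for s in (120, 47, 12, 0, -60):
        print(s, classify(s, th), classify(s, th, no_drop=True))
    print("best refuse threshold:", best_refuse_threshold(SAMPLE_PAIRS, [20, 28, 50]))
```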

Hi popowich,
I see the defaults are way too high for you as well. Btw, do you treat quarantined mail any differently than suspect (e.g. have a slow queue for those) or do you pass it to the same AA layer as the suspect bunch?
Also, do you see many false positives in the trusted queue?

I treat any email that wasn't rejected the same and let the other levels of filtering handle it. Do I see much spam that scored as trusted? Good question! It will take a little work but I'll see what I can figure out.